Abstract

The concern for reducing aviation safety risk is 
rising as the National Airspace System in the United 
States transforms to the Next Generation Air 
Transportation System (NextGen). The NASA 
Aviation Safety Program is committed to developing 
an effective aviation safety technology portfolio to 
meet the challenges of this transformation and to 
mitigate relevant safety risks. The paper focuses on the
reasoning behind selecting Object-Oriented Bayesian
Networks (OOBN) as the technique and commercial
software for the accident modeling and portfolio
assessment. To illustrate the benefits of OOBN in a
large and complex aviation accident model, the
in-flight Loss-of-Control Accident Framework (LOCAF)
constructed as an influence diagram is presented. An
OOBN approach not only simplifies construction and
maintenance of complex causal networks for the
modelers, but also offers a well-organized hierarchical
network that makes it easier for decision makers to use
the model to examine the effectiveness of risk mitigation
strategies through technology insertions.

Introduction 

The air transport system is growing fast; the public
benefits from this continued growth depend on the safe,
efficient and effective operations of air vehicles. With
significant demand in aircraft operations, the Next
Generation Air Transportation System (NextGen)
concept of operations is developed to transform the
existing air travel system, achieving
exceptional levels of safety, flexibility, efficiency, and
robustness in a more complex and demanding
environment. With the anticipated increase of travel
and new operations in NextGen, aviation safety and
risk, which have always been issues of great
importance due to the inherent complexity and severe
accident consequences, now become all the more pressing.

The overall goal of the NASA Aviation Safety 
Program (AvSP) is to “conduct cutting-edge research 
that will produce innovative concepts, tools, and 
technologies to improve the intrinsic safety attributes 
of current and future aircraft” (Shin, 2011). The AvSP
uses the results of systems analyses, assessments and
studies for programmatic decision-making, safety
research portfolio prioritization and communication. A
qualitative system analysis of the NASA AvSP was
conducted to identify historic and future safety issues
and to evaluate the potential impact of the AvSP
technology portfolio on these issues (Jones et al.,
2010). This qualitative assessment provided a better
understanding of the potential impact of the AvSP 
technology portfolio on aviation safety, but was 
lacking any quantitative analysis of the impact of these 
aviation technology products on safety risk mitigation. 
To this end, a quantitative analysis approach was 
needed that: (1) was flexible and robust to model 
complex aviation accidents and (2) provided the 
capability to assess the portfolio impact on the 
reduction of aviation system risk while the current air 
transportation system is transformed to NextGen 
operations. 

In this paper, a brief review is given to some 
commonly used aviation risk and safety 
methods/models as a path to select an appropriate 
probabilistic methodology and software package for 
the set purposes. The object-oriented Bayesian Belief 
Network (OOBN) suggested in this paper lends itself 
to large and complex aviation accident modeling and 
technology portfolio assessment. In addition to having 
all the features (inference and updates) as a traditional 
Bayesian network, the object-oriented concept allows 
modular, less-cluttered designs of a complex causal 
model in a dynamic environment. To illustrate the
benefits of applying OOBN, the paper includes a
loss-of-control (LOC) accident model constructed using
Hugin Expert (Hugin, 2012) software. The
technology portfolio evaluation is conducted through
the incorporation of safety products as decision nodes 
in the model. The projected impact of the AvSP 
products on the accident risk is assessed by comparing 
the predicted likelihood values of LOC with and 
without the products. 

Overview of Aviation Risk and Safety 
Methods/Models 

Researchers at the National Aerospace Laboratory 
of the Netherlands (NLR) identified more than 720 
safety methods (Everdij et al., 2010), and over 100 of
these have been applied in aviation domains. The
purpose of these qualitative and quantitative risk and
safety methods/models is to discover and describe 
primary causes of aircraft accidents in order to prevent 
future accidents. In addition, the causal 
methods/models can evaluate the benefits of different 
risk interventions from safety technologies. An 
exhaustive review of aviation safety methods/models
(GAIN Working Group B, 2003; Netjasov and Janic,
2008) is beyond the scope of this study. However, the
key concepts of some popular methods/models are 
briefly reviewed and compared in the context of the 
current objectives of aviation accident modeling and 
portfolio impact assessment. 

Methods. The Fault Tree (FT) method (Vesely et al.,
2002) is a top-down approach, starting with a top event
that is a failure or a hazard with serious consequences,
followed by several paths representing different
combinations of events or causes described with logical
operators (AND, OR, etc.). The logic in FT is binary.
Once the probability of occurrence and non-occurrence of
each event is assigned, the probability of the top event
can be computed. The FT method is a causal analysis
and is favored when combinations of failures are 
expected, and is mostly used for quantitative risk and 
reliability studies, such as the failure analysis of 
systems. 

The Event Tree (ET) method (Stamatelatos and 
Dezfuli, 2011) is a forward method beginning with an 
initiating event or condition. ET is used to model the
chronological sequence of events and consequences (or
outcomes) of the initiating event through a series of
potential paths. Each event has a finite set of states,
commonly two states, with assigned probabilities, so the
probability of various possible outcomes can then be
computed. An ET is particularly useful in developing
multiple safeguards to reduce the unwanted 
consequences of the initiating event. ET is a 
consequence analysis and depicts the sequence 
dependencies, which differs from FT. However, Event 
Trees are often used together with Fault Trees that 
analyze the causes of the hazardous event that initiates 
the accident sequence. 

An Event Sequence Diagram (ESD) method 
(Stamatelatos and Dezfuli, 2011) is a scenario analysis 
used to describe a set of possible risk scenarios 
originating from an initiating event. The initiating 
event is typically an anomaly (event causing deviation 
from normal operation) or a system component failure. 
Along each scenario path, pivotal events are identified 
as either occurring or not occurring. Each scenario 
leads to a final end state, indicating the outcome of that 
scenario. The concept of an ESD is similar to an ET;
both illustrate the progression of events over time.
However, the scenarios are usually kept broad; the
detailed causes or specificities of these events are not
directly of interest at the scenario level. An ESD, like
an ET, is often combined with FTs that model the details
of initiating and pivotal events in the ESD.

A Bayesian Belief Network (BBN) is a directed 
acyclic graph that provides a network-based framework 
to represent causal models for reasoning under 
uncertainty (Korb and Nicholson, 2004). A BBN 
consists of a set of nodes representing causal variables, 
and a set of the directed arcs (or links) connecting the 
nodes showing the causal dependencies. Each variable 
has a finite set of mutually exclusive states. The causal 
relations between variables are expressed in terms of 
conditional probabilities. The probability computation 
is based on Bayes’ theorem (Jensen and Nielsen, 
2007). Unlike the FT and ET, the BBN is able to 
represent the multi-dependencies between causal 
factors that lead to the final consequence in complex 
systems. Additionally, BBNs have been used as a
decision-support tool through the application of the 
Bayesian Decision Theory and the Influence Diagram 
(ID) with decision nodes and utility nodes in the 
networks. 

Models. The Aviation System Risk Model (ASRM) 
(Luxhoj, 2004) is a decision support system designed 
to estimate the system risk and assess the impacts of
new safety technology insertions/interventions using
traditional BBNs and ID. The ASRM contains a
collection of BBN models that model the interactions
of aviation system risk factors focusing on the
human-induced causal factors. The Bayesian probability and
decision theory are used to quantify the accident 
likelihood and to evaluate impacts of multiple new 
safety technology insertions/interventions. Models in 
ASRM are accident-based case models in selective 
aviation accident categories. 

The Causal Model for Air Transport Safety
(CATS) (Ale et al., 2009) models the gate-to-gate
causes of commercial air transport accidents and the
safeguards in place to prevent hazards leading to
accidents. The purpose of CATS is to quantify the risk
of air transport by estimating an accident probability per
flight. CATS models the underlying causes in the
complex aviation system by constructing separate
causal models for each considered accident category
(loss of control, collision, etc.) in each flight phase.
CATS combines three modeling techniques in a
single model: ESDs, FTs and traditional BBNs. The
ESDs and the FTs are converted into BBNs and from 
that the integrated CATS BBN is built to compute the 
probability of an accident. 

The Quantitative Risk Assessment System 
(QRAS) (NASA HQ/OSMA, 2002) is a comprehensive 
PC-based Probabilistic Risk Assessment (PRA) tool for
conducting an integrated system safety, reliability and
risk assessment of safety critical systems. The QRAS
technical approach is to divide a complex system’s risk
model into time-phases and to allow different failure
modes to be modeled in each operational phase along
the mission time-line. QRAS employs ESDs, ETs and
FTs, and can aggregate the probabilities of all initiating 
events to obtain the probability of failure at various 
levels - system, subsystem, component, and failure 
mode. QRAS includes a rich suite of quantification 
models to specify the probability distribution for the 
events, and the uncertainty distribution on the 
probability. 

While Fault Tree and Event Tree methods are 
common techniques for analyzing large complex 
integrated systems, their linear causal or time order 
approach fails to adequately represent the uncertainty 
and multi-dependencies between causal factors in a 
complex system like an aviation accident. In contrast, 
Bayesian networks provide a framework that represents 
the logical multiple cause-effect relationships among 
factors (or variables) and captures the uncertainty in 
the dependencies between factors using conditional 
probabilities. In addition to a rigorous mathematical 
treatment for complex accident causal modeling, a 
BBN has the ability of being an Influence Diagram as 
a decision tool to evaluate the effect of new safety 
technologies on the model. Moreover, inference on a 
BBN can be conducted by entering the evidence when 
the knowledge of node states is obtained through other 
means, such as empirical evidence or experiential 
database. Although there are some unique features in
ASRM, CATS, and QRAS, their underlying
methodologies and software tools are not readily
applicable to the objectives of having
generalized accident models inclusive of human-,
environment-, and systems-induced causal factors, and
of assessing the technology portfolio impact on
aviation safety. In summary, the authors adopt the use
of BBNs as the fundamental technique to model critical
aviation safety issues and to assess the impact of the
AvSP technology portfolio on safety risk reduction.

The Choice of a BBN Software 

The modeling exercise being considered
needs a Bayesian causal modeling tool with a graphical
front end for BBN construction and a computational
engine for the Bayesian analysis. A variety of BBN
software packages are available from both commercial
vendors and the public domain. No attempt was made
to provide a list of the Bayesian causal modeling tools
or to rank these packages; instead, (Korb and
Nicholson, 2004) and (Murphy, 2012) are offered for
learning more about the BBN software packages. This
section focuses on the desired features of a BBN tool
for its intended use in the given task. It is the authors’
viewpoint that the following features are required or
highly favored:


(1) Influence diagrams capability: BBNs can be 
extended with decision and utility nodes to 
form an influence diagram for decision 
making in the context of assessing technology 
portfolio impact and evaluating the aviation 
safety risk. 

(2) Modular and hierarchical capability: BBNs
for aviation accident models will be large
and complex. With modular designs, a
complex system can be efficiently built by
combining modules (or sub-models), which
are constructed simultaneously by different
modelers. The structured methods of
modularity and hierarchy help control the
complexity and the development of
large-scale BBNs. If a BBN has some structure or
better organization, the computational
performance is likely to be enhanced.

(3) Computational efficiency/performance: For a 
large complex network with many nodes and 
dependencies, the probabilistic calculations 
can be tedious and very difficult. The 
software tool must implement efficient BBN 
analysis algorithms to solve complex 
problems. 

(4) Maturity: The tool should have undergone
rigorous development and testing processes,
and have a proven record of successful
applications in a wide range of modeling
domains, including aviation areas.

(5) Application Program Interface (API): For the 
potential task growth, it is desirable that the 
software’s API is available for different 
popular languages, such as C++, Java, Visual 
Basic, and can run on a broad platform, 
including Windows, Mac, and Linux 
operating systems. The API enables a 
modeler to include BBN operations in his 
application programs, and allows the 
interaction between BBNs and applications, 
such as Microsoft Excel or Access. 

(6) Software maintenance and technical support: 
The tool should be well documented and 
maintained by the software developers to 
ensure the software’s integrity and quality. A 
responsive and experienced technical support 
team is important to the end users. 

(7) Cost for multiple licenses at different user
locations: It is envisioned that aviation
accident modeling tasks are multiple and may
be conducted by NASA personnel at different
geographical locations. The available license
format and its cost-effectiveness are also taken into
consideration.

Based on the selection criteria for the intended use,
the Hugin software has many advantages over
competing tools, including Netica and BNet. The
attractive merits of Hugin include the ability to
represent and efficiently solve complex
decision-making problems with influence diagrams, and to
allow complex domains to be described in terms of
inter-related modules using object-oriented BBNs
(OOBNs). The following section will introduce the
key concepts of an OOBN, and demonstrate its
application in loss-of-control accident modeling.

Application of OOBNs for Accident Modeling and 
Portfolio Assessment 

An OOBN (Koller and Pfeffer, 1997) is an
extension to BBNs with a set of basic objects (i.e.,
standard variable nodes) and complex objects (i.e.,
instance nodes). An instance node is an instantiation of
a network class, or an abstraction of a network
fragment into a single unit. An instance node connects
to other nodes via interface nodes: input and output
nodes. Represented as an instance node, the
encapsulated network (or sub-model) becomes
modular. Modularity facilitates the reuse of nodes and
network fragments of an object in the same network or
a different network. Another trademark of the
object-oriented approach is the ability to define classes that
inherit the properties of other classes plus additional
attributes of their own. Furthermore, in contrast to a
traditional BBN, which represents only the probabilistic
relationship among a set of variables at some point in
time, an OOBN is able to model temporal relationships
among variables for dynamic structures. In summary,
the salient features of OOBN modeling include
abstraction, encapsulation, hierarchy, inheritance,
interface, and modularity.

Exhibit 1 is a top-level depiction of the generalized 
loss-of-control accident framework (LOCAF) 
constructed by the Hugin software. LOCAF is a large 
and complex causal model comprising causal and 
contributing factors to the loss-of-control accidents 
from three different domains, namely, the aircraft 
system, human (both flight crew and ground 
personnel), and external atmospheric environment. 
The details of the development, quantification, and 
analysis of LOCAF are given in (Ancel and Shih, 
2012) and (Luxhoj et al., 2012). The discussion here is 
centered on illustrating the application of OOBN
concepts and BBN decision-making in LOCAF. In
addition to the oval-shaped chance nodes for standard 
random variables, the top-level topology of LOCAF 
includes three instance nodes displayed as rounded 
rectangles representing encapsulated sub-networks. 
Every instance node has a descriptive node name 
representing the internal sub-network that is hidden 
from the top-level view. Meanwhile, every instance
node contains interface nodes that are visible and link
to other nodes in the top-level view and/or other
sub-networks. In this example, three sub-networks are
regarded as three sub-models in BBNs, respectively
describing the causal contributions to the LOC due to 
the flight crew conditions before entering the cockpit, 
environmental conditions, and aircraft system 
component failures. 

Exhibit 2 displays the environmental sub-network,
while Exhibit 3 and Exhibit 4 show two separate
sub-models in the System
Component Failure (SCF) domains in LOCAF,
accounting for the causal contributions from the
aircraft systems and maintenance. There are two
output nodes drawn with thick borders in the
environmental sub-model, which are made visible in
the green-colored instance node of Exhibit 1, the
top-level model, and of Exhibit 3, one of the SCF sub-models.
It should be noted that only one output node (and a
different one) is used to connect to other node(s),
respectively, in Exhibit 1 and Exhibit 3. This
demonstrates the modularity and reusability of the
environmental sub-model, as well as the network
flexibility that simplifies the model construction. The
concepts of hierarchy and multi-level abstraction are
manifested in the system component failure instance node
(in Exhibit 1) to which two deeper levels of
sub-networks are attached. The successively embedded
sub-layer networks are shown in Exhibit 5,
and then Exhibit 3 and Exhibit 4.
Applying this OOBN approach, the
LOCAF top-level view reveals all the essential
components of this model, and spares the viewer the overall
complexity of the network for better communication
and explanations. The complex sub-models are hidden
in the instance nodes. Model reusability and
techniques of encapsulation lessen the amount of work
involved in building such a large network.
Exhibit 1. Top-level Depiction of the Generalized Loss-of-control Accident Framework (LOCAF).



Exhibit 2. Environmental Sub-model for LOCAF. 










International Annual Conference of the American Society for Engineering Management 


Exhibit 3. System Component Failure Sub-model for Aircraft System. 






Object-oriented Bayesian networks for aviation accident modeling and technology portfolio impact assessment 




Exhibit 4. System Component Failure Sub-model for Maintenance. 





Exhibit 5. Multi-level Abstraction of the System 
Component Failure Network. 



There are many new safety products in the
technology portfolio; the intervention/mitigation of
these safety products is introduced into LOCAF as
rectangular-shaped decision nodes. With the products
in decision nodes, the model is now referred to as an
Influence Diagram. A decision node is connected to
those causal variable nodes whose probability
distributions are directly affected by the decision policy
of either implemented or not-implemented. As shown
in Exhibit 1 through Exhibit 3, the decision nodes appear in
both the top-level network and sub-networks in LOCAF.
Comparing the computed likelihood values of the
occurrence of LOC (LOC Accident node in Exhibit 1)
with and without safety products gives the projected
impact of safety technologies on the LOC risk. In
addition, sensitivity analysis can be performed on
LOCAF to rank the causal nodes most influential on the
LOC node. This information helps strategize the safety
technology investment and establish an effective
technology portfolio.
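
The with/without comparison described above can be reproduced on a toy network. The Python code below is an added example, not code from the paper and not built with Hugin: it models a reusable environmental network class with two output nodes, two decision nodes that alter conditional probabilities, and P(LOC) computed by enumeration. All node names, product names and probabilities are constructed assumptions, not LOCAF values.

```python
from itertools import product

# Every probability here is constructed for illustration; none is a LOCAF value.

class EnvironmentClass:
    """Network class: one hidden node (adverse weather), two output nodes."""

    def __init__(self, p_adverse=0.10):
        self.p_adverse = p_adverse
        # P(output node = True | adverse weather = True / False)
        self.cpt = {"turbulence": {True: 0.60, False: 0.05},
                    "icing": {True: 0.30, False: 0.01}}

    def output(self, name):
        """Marginal P(output node = True), summing out the hidden node."""
        given = self.cpt[name]
        return self.p_adverse * given[True] + (1 - self.p_adverse) * given[False]


def p_system_failure(maintenance_product):
    """SCF sub-model: its own instance of the class, linked via 'icing'."""
    p_icing = EnvironmentClass().output("icing")
    # Decision node: the product halves the failure rate when there is no icing.
    p_fail_no_icing = 0.002 if maintenance_product else 0.004
    return p_icing * 0.05 + (1 - p_icing) * p_fail_no_icing


# P(LOC = True | turbulence, crew_error, system_failure)
LOC_CPT = {
    (False, False, False): 0.00001, (False, False, True): 0.002,
    (False, True, False): 0.001,    (False, True, True): 0.02,
    (True, False, False): 0.0005,   (True, False, True): 0.01,
    (True, True, False): 0.01,      (True, True, True): 0.10,
}


def p_loc(crew_product=False, maintenance_product=False):
    """P(LOC accident) under one decision policy, by full enumeration."""
    # Separate instances of the class are independent copies, so the three
    # parents of the LOC node are independent and their marginals suffice.
    p_true = (
        EnvironmentClass().output("turbulence"),  # top level uses 'turbulence'
        0.015 if crew_product else 0.03,          # decision node -> crew error
        p_system_failure(maintenance_product),    # SCF instance node
    )
    total = 0.0
    for states in product([False, True], repeat=3):
        weight = 1.0
        for p, state in zip(p_true, states):
            weight *= p if state else 1 - p
        total += weight * LOC_CPT[states]
    return total


def relative_reduction(**policy):
    """Fractional drop in P(LOC) when the given products are implemented."""
    baseline = p_loc()
    return (baseline - p_loc(**policy)) / baseline


if __name__ == "__main__":
    print(f"P(LOC), no products: {p_loc():.6f}")
    for policy in ({"crew_product": True}, {"maintenance_product": True},
                   {"crew_product": True, "maintenance_product": True}):
        print(policy, f"reduction = {relative_reduction(**policy):.1%}")
```
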

Conclusions 

NASA AvSP takes on the challenge of developing
a technology portfolio to meet the anticipated increase
in aviation safety issues, particularly those arising from the
transformation of the current airspace transport system to
the NextGen operation. This paper presented a brief
review on aviation risk and safety methods/models, and 
the criteria for selecting an appropriate methodology 
and software tool for the aviation accident modeling 
and portfolio impact assessment. The Object-Oriented 
Bayesian Belief Network (OOBN) approach was very 
suitable when modeling complex aviation accidents (or 
safety issues) that are influenced by interactions of 
different domains, including human operators, 
atmospheric environment, and aircraft systems and 
components. Techniques of encapsulation and model 
reusability add to the simplification, flexibility and 
portability in model development. For illustrative
purposes, a loss-of-control accident model was
introduced to show the benefits of OOBN and the
evaluation of the safety technology portfolio.